Without further ado, let's jump right in!

## Scanning

```
Nmap scan report for control.htb (10.10.10.167)
80/tcp open  http    Microsoft IIS httpd 10.0
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at :
Service Info: OS: Windows CPE: cpe:/o:microsoft:windows
Nmap done: 1 IP address (1 host up) scanned in 30.27 seconds
```

There were only 3 open ports, and port 80 looked more interesting than the others. When I opened it in a browser, the following page loaded:

Because the site looked custom-made and I had accumulated some experience with HTB (see the badge at the bottom of the page), I instantly clicked the 'admin' button and got the following error page:

I assumed that the PHP script checked some headers to verify whether the user was using the proxy or not. However, I did not know the proxy's IP address, so I continued enumerating. I found the following comment in the main page's source code:

The proxy was probably located at 192.168.4.28. To get access to the admin panel, I opened Burp, intercepted the request and added an 'X-Forwarded-For' header. After the insertion, the request looked like this:

After forwarding the request, the admin panel loaded:

## Manually Exploiting the SQL Injection

There was a list of products which could be viewed, modified and deleted. I assumed the script used an SQL database to store this information and began testing for injection points. Knowing that the backend DB was MariaDB, I captured the request in Burp and tried sending a valid UNION statement. After a few tries, I got the following payload:

```
productName=a' UNION ALL SELECT 1,2,3,4,5,6 #
```

According to the nmap scan, the server was running Windows. I used this information to create a PHP shell:

```
productName=a' UNION ALL SELECT 1,' ',3,4,5,6 INTO OUTFILE 'C:\\Inetpub\\wwwroot\\yakuhito.php' #
```

I then tried to run 'whoami' on the target machine to confirm that the injection worked:

Getting a shell this way is usually fine; however, due to the nature of this box, I preferred to use SQLMap to upload a better shell. One of the best features of SQLMap is its ability to parse an HTTP request and test all of its parameters. You don't need to specify a host or anything related; SQLMap will figure that out. In my case, the request file (named req.txt) contained the following text:

```
POST /search_products.php HTTP/1.1
```
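The proxy check that was bypassed above, where the application trusted a client-supplied X-Forwarded-For header, shown beside a hardened version as an added Python example (not the box's PHP code). It assumes the admin panel is only meant to be reachable through the proxy at 192.168.4.28 from the source comment; the peer addresses and headers are constructed.

```python
from ipaddress import ip_address
from typing import Dict, List, Optional

# Assumption (not from the post): the admin panel must only be reached through the
# internal proxy; 192.168.4.28 is the proxy address the post found in a source comment.
TRUSTED_PROXY = "192.168.4.28"

def _valid_ip(value: str) -> bool:
    try:
        ip_address(value)
        return True
    except ValueError:
        return False

def _hops(headers: Dict[str, str]) -> List[str]:
    """Split a comma-separated X-Forwarded-For chain into its entries."""
    return [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]

def vulnerable_is_via_proxy(peer_ip: str, headers: Dict[str, str]) -> bool:
    """Weak check: believes the client-supplied header, so any direct client that
    writes the proxy address into X-Forwarded-For passes (the bypass used above)."""
    return TRUSTED_PROXY in _hops(headers)

def hardened_is_via_proxy(peer_ip: str, headers: Dict[str, str]) -> bool:
    """Trust the transport, not the header: the TCP peer itself must be the proxy."""
    return _valid_ip(peer_ip) and ip_address(peer_ip) == ip_address(TRUSTED_PROXY)

def client_ip(peer_ip: str, headers: Dict[str, str]) -> Optional[str]:
    """Original client address for logging. X-Forwarded-For is consulted only when the
    peer is the trusted proxy, and only its last entry is believed: that is the one the
    proxy appended, while earlier entries are client-controlled."""
    if not hardened_is_via_proxy(peer_ip, headers):
        return peer_ip if _valid_ip(peer_ip) else None
    hops = _hops(headers)
    return hops[-1] if hops and _valid_ip(hops[-1]) else None

def evaluate(peer_ip: str, headers: Dict[str, str]) -> tuple:
    """(weak verdict, hardened verdict, client address) for one request."""
    return (vulnerable_is_via_proxy(peer_ip, headers),
            hardened_is_via_proxy(peer_ip, headers), client_ip(peer_ip, headers))

# Constructed requests as (peer IP, headers); 10.10.14.5, 10.0.0.7 and 1.2.3.4 are made up.
SPOOFED = ("10.10.14.5", {"X-Forwarded-For": "192.168.4.28"})       # direct, forged header
GENUINE = ("192.168.4.28", {"X-Forwarded-For": "10.0.0.7"})         # real hop via the proxy
CHAIN = ("192.168.4.28", {"X-Forwarded-For": "1.2.3.4, 10.0.0.7"})  # forged prefix, real tail

if __name__ == "__main__":
    for name, req in {"spoofed": SPOOFED, "genuine": GENUINE, "chain": CHAIN}.items():
        print(name, evaluate(*req))
```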